ASP.NET Impersonation in a Windows 2003 non domain member server

 
 
Johann Granados
      04-20-2007
Hi everybody,

Is it possible to do ASP.NET Impersonation in a Windows 2003 non domain
member server (located in the DMZ)? If so, how can I do that?

Thanks in advance for your kind reply

Best regards,

Johann Granados
Staff DotNet
 
Dominick Baier
      04-20-2007
You need Windows authentication enabled for that.

Then you either generally impersonate for the length of the whole request
using the <identity impersonate="true" /> config switch - or programmatically
by calling

using (((WindowsIdentity)Context.User.Identity).Impersonate())
{
    // runs as the authenticated caller; Undo() is called when the block exits
}

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

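Worked example added by the editor, not code from the thread: an ASP.NET 2.0 HTTP handler in C# that does what Dominick describes, impersonating the Windows-authenticated caller only around the work that needs the caller's token, and reporting which account each step runs under. The handler name, namespace, request path and the web.config fragment in the leading comment are assumptions made for this example.

```csharp
// Added example, not from the thread. Assumed web.config (hypothetical):
//   <system.web>
//     <authentication mode="Windows" />
//     <!-- impersonate="false": the worker process identity stays the default and
//          impersonation is opt-in per code path instead of for every request -->
//     <identity impersonate="false" />
//     <authorization><deny users="?" /></authorization>
//     <httpHandlers>
//       <add verb="GET" path="whoami.ashx" type="ImpersonationDemo.WhoAmIHandler" />
//     </httpHandlers>
//   </system.web>
using System;
using System.Security.Principal;
using System.Web;

namespace ImpersonationDemo
{
    public class WhoAmIHandler : IHttpHandler
    {
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            context.Response.ContentType = "text/plain";

            // Windows authentication must be enabled in IIS and in web.config; with
            // Forms or anonymous access the identity is not a WindowsIdentity and
            // there is no token to impersonate. Check instead of blindly casting.
            WindowsIdentity caller = context.User.Identity as WindowsIdentity;
            if (caller == null || !caller.IsAuthenticated)
            {
                context.Response.StatusCode = 401;
                context.Response.Write("Windows authentication is required for impersonation.");
                return;
            }

            // Before impersonation the thread runs as the worker process account
            // (NETWORK SERVICE by default on Windows Server 2003 / IIS 6).
            context.Response.Write("Process identity: " + WindowsIdentity.GetCurrent().Name + "\r\n");

            // Scoped impersonation. The using block calls Undo() on the
            // WindowsImpersonationContext on exit, including when the code inside throws,
            // so the thread never keeps the caller's token past this point.
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                context.Response.Write("Impersonating:    " + WindowsIdentity.GetCurrent().Name + "\r\n");
                // Identification-level tokens can be inspected but not used to open
                // resources; only Impersonation (or Delegation) level tokens can.
                context.Response.Write("Token level:      " + caller.ImpersonationLevel + "\r\n");

                // Do the work that needs the caller's token here, e.g. open a file that
                // is ACLed for the caller. Keep this block as small as possible.
            }

            // After Undo(): back to the process identity.
            context.Response.Write("Reverted to:      " + WindowsIdentity.GetCurrent().Name + "\r\n");
        }
    }
}
```

Request /whoami.ashx from a browser that performs Integrated Windows authentication and the three lines show the process account, the caller, and the process account again. On a server that is not a domain member, Windows authentication can still authenticate accounts from the server's own local SAM over NTLM, and impersonating such a token works, but that token is only meaningful on that machine; it is not a domain identity and cannot be forwarded to an internal server, which is the limitation the rest of the thread is about.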
 
Johann Granados
      04-20-2007
Hi Dominick,

Thanks a lot for your answer.

I've tried both approaches you mention. They both work very well in a
domain member server but they don't work in a non domain member server (because
there is no domain controller to authenticate the user). What I need is a
way to call a server component located at the internal network by passing it
a Windows identity credential created at the non domain member server.

Thanks again for your help.

Best regards,

Johann Granados

Joe Kaplan
      04-20-2007
Yeah, you can't really do this as you can't create a domain identity to
impersonate on a non-domain machine. That's not the way Windows security
works. You would need a way to do this that did not require
impersonation.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Johann Granados
      04-20-2007
I found this article about Protocol Transition:
http://msdn2.microsoft.com/en-us/library/ms998355.aspx. It mentions the
Service-for-User-to-Self (S4U2Self) extension for Kerberos implemented in Windows
Server 2003 (this service allows the developer to obtain a WindowsIdentity
without passing a password). The article does not mention whether this
service works in a non domain member server, but I guess it may. Have
you ever heard of this service? Have you used it?

Best regards,

--
Johann Granados
MVP Compact Framework
Costa Rica, Central America


Joe Kaplan
      04-20-2007
I have used it and it won't work for you either if the server isn't a domain
member. Sorry.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Dominick Baier
      04-20-2007
OK - you are talking about delegation. Which is something different.

Yeah - you need domain connectivity for that.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Joe Kaplan
      04-20-2007
I don't think he can impersonate a domain account on a non-domain member
machine whether or not he wants to delegate. He wouldn't be delegating if
he was using S4U or called LogonUser, but I don't think he can get that
logon token and impersonate it no matter what. Is that your understanding
of how it works?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
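Added example (editor's code, not from the thread or from the MSDN article Johann links): a C# console program that exercises the two token sources Joe names, protocol transition (S4U2Self, which .NET 2.0 exposes through the WindowsIdentity(string upn) constructor) and LogonUser, and reports each failure instead of crashing. The program name, the example account names and taking the password from the command line are assumptions made for this example; run it on a domain member and on a workgroup server to see the difference the thread describes.

```csharp
// Added example, not from the thread. Probes how a process can obtain a Windows
// token for an account, and what happens on a server that is not a domain member.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;

class TokenProbe
{
    // advapi32 LogonUser constants (from winbase.h).
    const int LOGON32_LOGON_NETWORK = 3;      // yields an impersonation-level token
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Protocol transition: the KDC issues a service ticket to ourselves on behalf of
    // 'upn' with no password. This is a Kerberos exchange with a domain controller, so
    // it needs a domain-joined machine that can reach a DC; on a workgroup server in a
    // DMZ the constructor throws SecurityException. Even on a domain member, without
    // SeTcbPrivilege Windows Server 2003 returns an Identification-level token that
    // cannot be impersonated for resource access.
    static string DescribeProtocolTransition(string upn)
    {
        try
        {
            WindowsIdentity id = new WindowsIdentity(upn);
            return "S4U2Self token for " + id.Name + ", level " + id.ImpersonationLevel;
        }
        catch (SecurityException ex)
        {
            return "S4U2Self failed: " + ex.Message;
        }
    }

    // Explicit credentials: LSA validates them locally (domain ".") or by finding a DC
    // for 'domain'. On a non-domain member only local SAM accounts can succeed, and the
    // resulting token is a local identity that other machines will not recognise.
    static string DescribeLogonUser(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            return "LogonUser failed: " + new Win32Exception(err).Message + " (Win32 error " + err + ")";
        }
        try
        {
            // WindowsIdentity duplicates the handle, so the raw token is closed in finally.
            WindowsIdentity id = new WindowsIdentity(token);
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                return "LogonUser token impersonated as " + WindowsIdentity.GetCurrent().Name
                     + ", level " + id.ImpersonationLevel;
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.Error.WriteLine("usage: TokenProbe <upn-to-transition> <local-user> <local-password>");
            return 2;
        }
        // args[0]: e.g. someone@corp.example (hypothetical UPN) - fails off-domain.
        Console.WriteLine(DescribeProtocolTransition(args[0]));
        // "." restricts validation to this machine's local account database.
        Console.WriteLine(DescribeLogonUser(args[1], ".", args[2]));
        return 0;
    }
}
```

The first line of output is the part of the thread that matters for a DMZ server: no DC, no Kerberos, no token for a domain account, whichever API asks for it. The second line succeeds for a local account, which is why a fixed local (or service) identity with its own access to the internal component, rather than the caller's identity, is the shape of the solution Joe points at.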
Dominick Baier
      04-20-2007
"What I need is a way to call a server component located at the internal
network by passing it a windows identity credential created at the non domain
member server."

Well - the question is - do you need to call the internal component using
client credentials?


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

 
Joe Kaplan
      04-20-2007
It sounds to me like he just wants a way to call the component period and
needs to impersonate any domain account. Whether or not it is the client's
credential and he is delegating seems to be not as important.

I'm saying that I don't think you can impersonate a domain account on a
non-domain machine, but I'm not totally positive, so I'm asking you.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net